Anti-Phishing System and Method

ABSTRACT

Systems and methods for anti-phishing are disclosed. At a computing device: identifying, from a user input data stream, a first set of one or more characters, and a second set of one or more characters. The first set of characters represents a portion of first private information, and the second set of characters represents a portion of second private information. In accordance with a determination that the first set of characters and second set of characters are identified in accordance with a predefined sequential relationship, taking a protective action, prior to transmitting at least a subset of the characters of the first or second private information to a server remotely located from the computing device, to protect the first or second private information. In some implementations, the first private information includes a username, and the second private information includes a password corresponding to the username.

RELATED APPLICATION

This application is a continuation of, and claims priority to U.S.patent application Ser. No. 11/500,909, filed on Aug. 9, 2006, entitled“Anti-Phishing System and Method,” now U.S. Pat. No. 8,220,047, which isincorporated herein by reference in its entirety.

FIELD OF THE INVENTION

This invention relates to protection of personal data against phishingtechniques that aim to deceptively obtain personal data from a computeruser.

BACKGROUND OF THE INVENTION

In computing environments, phishing is a criminal activity wherephishers attempt to fraudulently acquire private information, such aspasswords, usernames, credit card details, etc., from a computer user.The term “phishing” refers to the use of electronic “lures” to “fish”for a user's private data, such as through the use of the Internet,email, or an instant message. A phisher typically disguises acommunication to appear to be from a trusted person, entity, or businessand entices the user to disclose private data. Phishing is an increasingproblem, and has prompted legislation, user training, and technicalanti-phishing solutions to protect users. Existing anti-phishingsolutions typically involve constant manual updating, which lags behindphishers' ability to generate new lures, or rely on a user's ability torecognize valid communications.

SUMMARY OF THE INVENTION

These and other drawbacks are overcome through various embodiments ofthe present invention.

Accordingly, various embodiments of the present invention may bedirected to an anti-phishing system and method.

In some implementations, an anti-phishing method includes, at acomputing device having one or more processors, identifying, from a userinput data stream, a first set of one or more characters, and a secondset of one or more characters. The first set of one or more charactersrepresents a portion of first private information, and the second set ofone or more characters represents a portion of second privateinformation. The method further includes, in accordance with adetermination that the first set of characters and second set ofcharacters are identified in accordance with a predefined sequentialrelationship, taking a protective action, prior to transmitting at leasta subset of the characters of the first or second private information toa server remotely located from the computing device, to protect thefirst or second private information. In some implementations, the firstprivate information includes a username, and the second privateinformation includes a password corresponding to the username. In someimplementations, the sequential relationship includes a predefinedmaximum number of characters between the first set of charactersrepresenting the first private information, and the second set ofcharacters representing the second private information.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an exemplary embodiment of a computer network, inaccordance with various embodiments of the invention;

FIGS. 2A-B illustrate an exemplary embodiment of one or more phishingcommunications, in accordance with various embodiments of the invention;

FIG. 3 illustrates an exemplary embodiment of a user computer includingan anti-phishing system, in accordance with various embodiments of theinvention;

FIG. 4 illustrates an exemplary embodiment of a trigger module, inaccordance with various embodiments of the invention;

FIG. 5 illustrates an exemplary embodiment of a process implementedusing an anti-phishing system, in accordance with various embodiments ofthe invention; and

FIG. 6 illustrates an exemplary embodiment of a warning message window,in accordance with various embodiments of the invention.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

The embodiments described herein address many problems with existingsystems and methods. The following description is intended to convey athorough understanding of the embodiments described herein by providinga number of specific embodiments and details involving systems andmethods for implementing anti-phishing based solutions. It should beappreciated, however, that the present invention is not limited to thesespecific embodiments and details, which are exemplary only. It isfurther understood that one possessing ordinary skill in the art, inlight of known systems and methods, would appreciate the use of theinvention for its intended purposes and benefits in any number ofalternative embodiments, depending upon specific design and other needs.

The terminology used herein is for the purpose of describing particularembodiments only and is not intended to limit the scope of the presentinvention. As used throughout this disclosure, the singular forms “a,”“an,” and “the” include plural reference unless the context clearlydictates otherwise. Thus, for example, a reference to “a server”includes a plurality of such servers, as well as a single server, andequivalents thereof known to those skilled in the art, and so forth.

Unless defined otherwise, all technical and scientific terms used hereinhave the same meanings as commonly understood by one of ordinary skillin the art to which this invention belongs.

The anti-phishing system and method may be implemented at a usercomputer to evaluate an electronic document (e.g., a webpage) served tothe user computer by a server. As used herein, the term “electronicdocument” should be understood to include a webpage of a website, anemail, an instant message, or other types of document capable ofrendering an image or text to a user (e.g., any document capable ofrendering HTML code or XML code).

The anti-phishing system and method may include one or more modules,including one or more remote modules. As used herein, the term “module”may be understood to refer to a piece of software, firmware, and/orhardware that renders data for use in processing an electronic document.Modules may be personalized to user preferences, preferences of theelectronic document, preferences of the environment, and/or otherinputs.

Various exemplary embodiments provide an improved anti-phishingsolution. From the user's perspective, an improved anti-phishingsolution may involve allowing a computer system to determine whether anelectronic document may be trusted, rather than requiring a user to bevigilant in determining whether an untrusted electronic document isphishing for their private information. According to variousembodiments, one or more modules may detect when the user is potentiallybeing phished by an untrusted electronic document and then may takeappropriate action, including warning the user before they havesubmitted their private information to a server associated with theuntrusted electronic document. Various modules according to exemplaryembodiments may recognize a potential phishing event based on theinformation the user is attempting to submit in an untrustedcommunication (e.g., to an untrusted website, to an untrusted emailrecipient, etc.).

Overview of an Exemplary System

FIG. 1 illustrates an exemplary embodiment of a system 100 implementingan anti-phishing system (APS) 110. The system 100 may include a usercomputer 102, a network 104, a server 106, and a phisher computer 108.The user computer 102 and the phisher computer 108 may be any devicecapable of executing one or more lines of computer code, such as, butnot limited to, a desktop computer, a laptop computer, a notebookcomputer, a mobile phone, a personal digital assistant (PDA),combinations thereof, or other suitable computing devices. In anexemplary embodiment, the server 106 may be a server capable of servingelectronic documents (e.g., webpages) to the user computer 102 over thenetwork 104.

The user computer 102 may include an APS 110 for identifying andpreventing a phishing attack. In other exemplary embodiments, some orall of the APS 110 may be implemented at the server 106. Some or all ofthe functions of the APS 110 may be implemented in software, hardware,and/or firmware. In an exemplary embodiment, the APS 110 may be softwareassociated with a communication tool module, such as, but not limitedto, a web browser, stored on the user computer 102 to monitor theelectronic addresses visited by the user and the data the user exchangeswith the server 106. For example, the APS 110 may be a Firefox extensionthat warns the user before they are about to transmit potentially“sensitive” private information. The APS 110 also may be used with otherbrowsers, such as, but not limited to, Internet Explorer and NetscapeNavigator. The APS 110 may be storeable on a tangible media and may beimplementable on a computing device. For example, the APS 110 may bestored on one or more of a recordable storage media, such as, but notlimited to, a computer disk, on one or more computing devices, on one ormore servers, combinations thereof, and/or on other devices suitable forstoring software.

A phisher, using the phisher computer 108, may create an electronicdocument that appears to be from a trusted provider, such as, but notlimited to, from a bank with which the user has an account. The phishermay transmit the electronic document to the user computer 102 in anattempt to deceive the user into thinking that the electronic documentis from the trusted provider in order to obtain private information fromthe user. In other exemplary embodiments, the phisher may create anelectronic document (e.g., a website) that the server 106 may serve tothe user computer 102.

FIG. 2A illustrates an exemplary embodiment of an interface (e.g., agraphical user interface (GUI)) that may display a phishing window 200presented to a user by an electronic document from the phisher computer108. The phishing window 200 may be a pop-up ad, an email addressed tothe user, an instant message, a website, and/or other suitable mannersof displaying an electronic message to a user. The phishing window 200may emulate various features associated with a trusted provider, and mayappear similar to an electronic document of the trusted provider. Forexample, the electronic document may include logos and/or otherinformation identifying a bank of the user.

To deceive the user, the phishing window 200 may include a messageinstructing the user to follow a link (e.g., a URL) in the electronicdocument to an untrusted electronic document, such as, but not limitedto, an untrusted webpage, to “verify” their private information. Themessage may indicate that the user has won a prize, that someone else isillegally trying to access their account, or other deceptive messages inan attempt to have the user follow the link and disclose their privateinformation. In the depicted exemplary embodiment, the phishing window200 includes a message indicating that the user has been selected toreceive a prize. The phishing window 200 instructs the user to click ona link to a website to verify their account.

FIG. 2B illustrates an exemplary embodiment of an untrusted electronicdocument 202. As depicted, the untrusted electronic document 202 mayrequest that the user enter their username and password to “verify”their account in order to redeem the prize. In effect, the message ofthe untrusted electronic document 202 may attempt to deceive the userinto disclosing their private information. The untrusted electronicdocument 202 also may include a logo 204 or other information to deceivethe user into believing that the untrusted electronic document 202 isactually associated with the trusted provider (e.g.,www.trustedwebsite.com). In various other exemplary embodiments, theuntrusted electronic document 202 may use other types of deceptivemessages and may request other types of private information from theuser. If the user discloses the private information in response to theuntrusted electronic document 202, the phisher may then use the privateinformation to fraudulently gain access to the user's account. Forexample, the phisher may use the username and password to access theuser's email, an online banking account, and/or online gaming account tosteal information, money, and/or other things the user values andprotects with private information.

Phishing websites may all be attempting to deceive the user intodisclosing the same private information, such as, but not limited to,one or more of a user name, a password, a credit card number, a creditcard verification (CCV) code, account details, a user's address, auser's mother's maiden name, a user's social security number,combinations thereof, and/or other similar types of private informationthat a user may have. For the most part, these types of privateinformation may not change very frequently. For example, a user'susername this week may probably be the same next month. Additionally,users may tend to use the same private information at multiple websites.For example, a user's online banking password for one website may oftenbe the same as a user's online password for another website.Conventional wisdom may believe that having a common password formultiple websites is bad for computer security, as it may mean that anattacker who learns a login and/or password for one of the user'saccounts can easily access other accounts. According to exemplaryembodiments, the APS 110 may take advantage of this infrequent change ofprivate information to protect the user from phishing attacks.

Exemplary System Architecture

FIG. 3 illustrates an exemplary embodiment of a user computer 102including an APS 110, a communication tool module 312, and a cachedatabase 318. The communication tool module 312 may include atransmission module 314 for receiving a user input data stream from theAPS 110 and communicating the user input data stream across the network104. In an exemplary embodiment, the communication tool module 312 mayinclude a browser or other user interface to permit the user tocommunicate with various devices across the network 104.

The cache database module 316 may store, access, and retrieve privateinformation from the cache database 318. The cache database 318 maystore a user's private information such as, but not limited to, a user'suser names, passwords, the domain names and/or providers with which theyare associated, and/or personal information, such as, but not limitedto, a home address, a pet's name, a family member's name, a socialsecurity number, combinations thereof, and other types of information auser may disclose when signing up for an account. In an exemplaryembodiment, the cache database module 316 may be a password manager thatstores various types of private information associated with a domainname or a computing device. For example, the cache database module 316may store a username, a password, and a domain name in the cachedatabase 318 corresponding to a particular website or a particularcomputing device. In an exemplary embodiment, the cache database module316 may be the Firefox Password Manager, which stores the combination ofusername+password+domain that correspond to a particular website. Otherpassword managers also may be used.

In an exemplary embodiment, the cache database module 316 may monitorthe private information the user discloses to various providers over thenetwork 104. For example, as a user visits a website during webbrowsing, the cache database module 316 may store in the cache database318 private information entered by the user while creating an accountand may associate the stored private information with the domain name ofthe website. In a further example, the user may enter login privateinformation to login to a computing device across the network 104 andthe cache database module 316 may store the login private information inthe cache database 318 and may associate the stored login privateinformation with the computing device.

The APS 110 may include one or more of the following modules: a userinput module 302, a trigger module 304, a detection module 306, anaction module 308, and a message module 310.

The user input module 302 may receive a user input data streamcorresponding to user input at a keyboard and/or a mouse of the usercomputer 102. For example, the user may enter various sequences ofnumbers, letters, and/or symbols when interacting with the user computer102. The user input module 302 may identify and may use the varioussequences for communicating with the server 106.

The trigger module 304 may generate, receive, store and/or coordinateone or more trigger events. The trigger events may be based on theprivate information of the user and may be used to trigger when the APS110 performs further processing to determine whether to take an actionto protect the private information. Each trigger event may be used indetermining whether user input data includes one or more characters ofthe private information.

The detection module 306 may monitor the user input data streamtemporally and/or sequentially for various character sequences toidentify one or more characters of the private information correspondingto the trigger events.

The action module 308 may take an action based on the detection module306 identifying a trigger event. The action module 308 may instruct thecommunication tool module 312 to display a warning message, authenticatethe server 106, instruct the transmission module 314 to stoptransmitting the user input data stream to the server 106, and/or otheractions to protect the private information.

FIG. 4 illustrates an exemplary embodiment of the trigger module 304.The trigger module 304 may include a private information module 402, aforwarding information module 404, a connection information module 406,an electronic content information module 408, a complexity informationmodule 410, a data transfer information module 412, an accountinformation module 414, and a format information module 416. The triggermodule 304 may generate, receive, store and/or coordinate one or moretrigger events based on the various modules 402-416. The trigger eventsmay correspond to sequences of characters identified in the use inputdata stream indicating that the APS 110 may determine whether to take anaction to protect the private information.

Trigger events may balance the interest of protecting the user's privateinformation against the interest of excessively warning the user (i.e.,too high of a false positive error rate). If the protection of theuser's private information is too low (i.e., the APS 110 does not warnthe user and/or otherwise prevent the phishing attack), then the APS 110may not be useful to the user. On the other hand, if the protection ofthe user's private information is too high, then the APS 110 maygenerate too many messages incorrectly warning the user that theuntrusted electronic document may be fraudulently attempting to obtaintheir private information, thereby interfering with the user's normaldata communication experience. This may frustrate the user and promptthe user not to use the APS 110. The APS 110 may set the trigger eventsto accomplish both protecting the user's private information andminimizing the false positive error rate.

The trigger events may be based on one or more types of information thatmay be generated by the various modules 402-416. In an exemplaryembodiment, the trigger events may be based on the private information,forwarding information, connection information, data transferinformation, electronic content information, complexity information,format information, account information, alone or in combination, eachof which are described in detail below corresponding to the associatedmodule 402-416. These types of information may be used to balanceprotecting the user against too high of a false positive error rate.

The private information module 402 may retrieve stored privateinformation from the cache database 318. Based on the retrieved privateinformation, the private information module 402 may determine certaininformation about the user. For example, the private information module402 may determine that a user has an account with certain providers(e.g., a bank, email providers, online gambling providers, etc.), howthe user electronically accesses these providers (e.g., at their websitewww.trustedbank.com, logging into their server, etc.), and any types ofprivate information stored in the cache database 318 (e.g., username,password, etc.). This may allow the private information module 402 tolearn about and access the private information of the user withouthaving the user manually input the private information. Thus, the APS110 may protect the user's private information with only minimal inputfrom the user. In other exemplary embodiments, the private informationmodule 402 may prompt the user to enter the private information and theproviders with which the private information is associated. One or morecharacters of the private information obtained by the privateinformation module 402 may be associated with a trigger event todetermine when the user may be transmitting private information inresponse to the untrusted electronic document.

In an exemplary embodiment, the trigger module 304 may generate atrigger event based on the private information including a username, apassword, and a domain name. The trigger event may indicate that furtherprocessing may be necessary by the APS 110 to determine whether to takean action to protect the private information when one or more charactersof the username, password, and/or domain name are identified in the userinput data stream.

The forwarding information module 404 may generate forwardinginformation. The forwarding information may identify what type ofelectronic document directed the user to the untrusted electronicdocument and the content of the directing electronic document. Forexample, the forwarding information module 404 may indicate in theforwarding information that the electronic document directing the userto the untrusted electronic document is an email, an instant message, apop-up ad, a search engine, combinations thereof, and/or other suitableelectronic documents for directing a user to a website. The forwardinginformation also may indicate that the user entered an address (e.g., aURL, a network address) in an address bar of a browser and may not havebeen redirected by an electronic document.

The forwarding information module 404 also may indicate in theforwarding information the content of the directing electronic document.In an exemplary embodiment, the forwarding information module 404 mayevaluate the code of the directing electronic document, such as, but notlimited to, HTML, XML, etc., and any images presented to the user in thedirecting electronic document, both or other items as well, to identifyif the directing electronic document is soliciting private informationfrom the user. The forwarding information module 404 also may useoptical character recognition (OCR) to identify if any images within thedirecting electronic document solicit private information from the user.Phishers have been known to include messages soliciting privateinformation in images placed in electronic documents to avoid a spamfilter from detecting these types of messages in the underlying browsercode, even going so far as to break an image into multiple pieces tomake it difficult to view unless rendered for the user. Generating atemporary output and OCRing that output of the image generated may allowthe system to identify fraudulent messages included in one or moreimages.

The trigger module 304 may generate a trigger event based on theforwarding information. In an exemplary embodiment, the trigger eventmay indicate that further processing may be necessary by the APS 110 todetermine whether to take an action to protect the private informationwhen the user has been redirected from an email, instant message, apop-up ad, etc., to a website, but may indicate that further processingis not necessary when the user has entered the address of a provider inan address bar of the communication tool module 312 or clicked on a linkpresented by a search engine. In other exemplary embodiments, thetrigger event may indicate that processing may be necessary by the APS110 when the content of the directing electronic document solicits theuser for a username and password, but may indicate that furtherprocessing is not necessary when the electronic document does notsolicit private information.

The connection information module 406 may indicate in the connectioninformation what type of connection protocol is being used fortransmitting data between the user computer 102 and the server 106. Inan exemplary embodiment, the connection information module 406 maydetermine whether the connection protocol is a secured connectionprotocol, such as, but not limited to, secure socket layer (SSL), anencrypted protocol, other protocols used to protect data fortransmission over the network 104, or a non-data protecting protocol.The secured connection protocol may provide endpoint authentication andcommunications privacy over the network 104 using cryptography and othersuitable data protection. The secured connection protocol mayauthenticate the server 106 (i.e. to ensure its identity), the usercomputer 102, both, or other authenticate other devices. In an exemplaryembodiment, the secured connection protocol may allow the user computer102 and the server 106 to communicate in a way designed to preventeavesdropping, tampering, and/or message forgery. In contrast, anon-data protecting protocol may not: provide any authentication of theserver 106; encrypt of the transmitted data; and/or provide protectionfor the transmitted data.

The trigger module 304 may generate a trigger event based on theconnection information. In an exemplary embodiment, the trigger eventmay indicate that further processing may be necessary by the APS 110 todetermine whether to take an action to protect the private informationwhen the connection protocol does not provide any type of protection forthe private information, and may indicate that further processing is notnecessary when the connection protocol provides data protection.

The electronic content information module 408 may indicate in theelectronic content information whether the untrusted electronic documentmay be soliciting private information from the user. In exemplaryembodiment, the electronic content information module 408 may evaluatethe content of the untrusted electronic document to determine what ifuntrusted electronic document is soliciting private information. Forexample, the electronic content information module 408 may determinewhether the untrusted electronic document includes a field requestingthe user enter a username and password, a credit card number, a socialsecurity number, a home address, a bank account number, etc., and/orother types of private information. To determine this, the electroniccontent information module 408 may evaluate either the underlying codeof the untrusted electronic document, such as, but not limited to, HTML,XML, etc., any single or combinations of images presented to the user,both or other items as well, for text soliciting private informationfrom the user. The electronic content information module 408 also mayuse optical character recognition (OCR) to render and to identify if theuntrusted electronic document is soliciting private information withinone or more images. The electronic content information module 408 alsomay determine if the untrusted electronic document includes any dataobscuring fields, such as, but not limited to, fields that display oneor more “*” characters in the field instead of the actual characterstyped by the user.

The trigger module 304 may generate a trigger event based on theelectronic content information. In an exemplary embodiment, the triggerevent may indicate that further processing may be necessary by the APS110 to determine whether to take an action to protect the privateinformation before all of the characters in the private information havebeen entered when the untrusted electronic document is solicitingprivate information, and that further processing may not be necessaryuntil all of the characters in the private information have been enteredwhen the untrusted electronic document is not soliciting privateinformation.

The complexity information module 410 may generate complexityinformation to identify the complexity of a user's private information,which may be a string of characters. The complexity information maydetermine what types of characters are used in the private information,and the commonness of the private information. Commonness may refer tothe probability that a phisher may be able to determine all of thecharacters of the private information without having to receive everysingle character. Typically, a short dictionary word or a shortsequential string of numbers may be easy to guess if the phisher isaware of several of the letters or numbers in the string (e.g., a fourdigit pin number may be simple to guess if the phisher knows the firstthree digits). Users who may not be very sophisticated may use commondictionary words as a username or as a password, and these types ofunsophisticated users are more likely to fall for a phishing attack. Incontrast, multi-case, alpha-numeric-symbol strings are more difficultfor a phisher to guess or determine using a brute force code.

The complexity information module 410 may determine if the characters ofthe private information are: (1) a string of one or more letters and thecase of each of the letters, which may be in one or more differentlanguages, (2) a string of one or more numbers; (3) a string of symbols(e.g., ‘*,’ ‘̂’, ‘§,’ etc.), and/or (4) a string containing a combinationof letters, numbers, and/or symbols, etc. The complexity informationmodule 410 may then rate the private information based on the charactersof the private information and include the rating in the complexityinformation. The ratings may sort the private information into one ormore levels based on the length of the private information and thecharacters in the private information.

The following provides a description of exemplary levels used by thecomplexity information module 410; however, other levels of privateinformation also may be used. The levels may range from less complexprivate information to more complex private information. A first levelmay include the least complex private information (i.e., easiest toguess). Generally, less complex private information may be easier for aphisher to guess or determine using a brute force code. The first levelmay include short and common dictionary words all in lower case (e.g.,“god,” “money,” “jesus,” “and “love”) and short sequential numbersequences (e.g., “456”). A second level may include longer and lesscommon dictionary words in lower case, such as, but not limited to,“extrovert,” shorter multi-case common dictionary words, such as, butnot limited to, “gOd,” and short non-sequential number sequences (e.g.,“157”). A third level may include multi-case longer common dictionarywords (e.g., “eXTroveRT”), longer strings of numbers (e.g.,“942340623”), and non-dictionary word letter strings (e.g., “abrscf”). Afourth level may include multi-case alpha-number-symbol characterstrings (e.g. “23Rxt#% x,” “jEsu5”). The above levels are exemplary,fewer or greater numbers of levels may be used, and the content of theprivate information within each of the levels may be varied.

The trigger module 304 may generate a trigger event based on thecomplexity information. In an exemplary embodiment, the trigger eventmay be used to indicate that further processing may be necessary by theAPS 110 to determine whether to take an action to protect the privateinformation after only one or a few of the characters of the privateinformation have been entered for complex private information, andfurther processing may be necessary after identifying most or all of thecharacters of less complex private information in combination withidentifying other private information. In an exemplary embodiment for acomplex password, the trigger event may be used to identify that theinput data stream includes private information every time the detectionmodule 306 identifies at least a portion of a more complex password thata user is unlikely to use in a non-login event. For example, a user withthe complex password “jEsu5” likely only uses this password during alog-in event, and thus it may be likely that the user may have beendeceived by a phishing attack when using one or more characters of thispassword.

In contrast, when a username and password are both less complex privateinformation, then the trigger event may occur when some or all of one ofthe characters of a username or password is identified, and one or morecharacters of the other of the username or password is also identified.In an exemplary embodiment, if the private information is a username“smith” with an associated password “cat,” once the user has enteredeither “smith,” the trigger event may indicate that the user istransmitting private information if, temporally and/or sequentially nearto the username in the user input data stream, the detection module 306identifies one or more letters of the password “cat.”

The data transfer module 412 may generate data transfer information thatidentifies whether the untrusted electronic document uses any real-timedata transfer technology. In an exemplary embodiment, the data transfermodule 412 may identify if the untrusted electronic document uses areal-time data transfer technology that transmits data entered by theuser at the user computer 102 to the server 106 in real-time. Once suchtechnology is Asynchronous JavaScript and XML (AJAX), which transmitsdata to the server 106 as the user types the data at a keyboard of theuser computer 102. Real-time transfer technologies are potentiallydangerous to users because the server 106 may receive the informationfrom the user in real-time without having to wait for the user to sendthe information (e.g., click a “send” button). For example, if the userenters all but the final character or characters of the privateinformation and AJAX has transmitted the characters to the server 106,the last character may, in certain instances, be easily guessed ordetermined by various techniques (e.g., a quick brute force search bysoftware or human guess). In contrast, the data transfer module 412 mayidentify that the untrusted electronic document uses non-real-time datatransfer technology, where data may only be forwarded to the server 106after decides to submit the data. For example, the user may click“submit” field in the untrusted electronic document to transfer data tothe server 106.

The trigger module 304 may generate a trigger event based on the datatransfer information. In an exemplary embodiment, the trigger event maybe used to indicate that further processing may be necessary by the APS110 to determine whether to take an action to protect the privateinformation before all of the characters in the private information havebeen entered when the server 106 associated with the untrustedelectronic document may be using real-time data transfer technology, andthat further processing may not be necessary until all of the charactersin the private information have been entered when the server 106associated with the untrusted electronic document is not using real-timedata transfer technology.

The account information module 414 may retrieve account information fromthe cache database 318 that identifies personal information about theuser typically given when one signs up for an account. For example, theaccount information may be one or more of a user's: name (e.g.,“Christopher Jones”), home address, social security number, familymember's name (e.g., mother's maiden name), pet's name, etc.,combinations thereof, and/or other similar information typically givenby a user when signing up for an account (e.g., a bank account). Theaccount information may be obtained from the cache database 318, whichmay be populated with the account information as the user signs up forvarious accounts, and also may be obtained from an auto-fill-formsfeature of the communications tool module 312 that automatically fillsin forms based on previously entered information. The accountinformation module 414 also may prompt the user for the accountinformation. The account information may be indicative of a user signingup for an account and may be used to confirm the possibility that theuntrusted electronic document may have misled the user into believingthat the untrusted electronic document is a trusted provider, when infact, it may not be.

The trigger module 304 may use the account information to generate atrigger event. In an exemplary embodiment, the trigger event may be usedto indicate that further processing may be necessary by the APS 110 todetermine whether to take an action to protect the private informationbefore all of the characters in the private information have beenentered when the user input data stream includes one or more charactersof a user's social security number, and that further processing may notbe necessary when the user input data stream does not include the socialsecurity number.

The format information module 416 may generate format information thatmay be used to generate trigger events based on the format of certaintypes of private information. These types of trigger events may protectthe private information of a user that cache database 318 may not bepermitted to store. Certain types of private information use a commonformat and have certain characteristics within the format that may beused to identify that they are private information, even if the APS 110may not be aware of the private information. One such example may becredit card numbers. The APS 110 may be able to identify credit cardnumbers in the user input data stream based on the format of the numberbefore the entire credit card number has been entered by the user. In anexemplary embodiment, based on the cache database 318 or a cachedhistory of visited websites, the format information module 416 may inferthat a user has a credit card associated with a particular bank, whichmay be used in the format information for determining when characters inthe user input data stream correspond to the user's credit card number.

Credit card numbers often have a certain amount of internal structure,and share a common numbering scheme. Most credit card numbers are aspecial case of International Organization for Standardization (ISO)7812 numbers. An ISO 7812 number contains a single-digit major industryidentifier (MII), a six-digit issuer identifier number (IIN), an accountnumber, and a single digit checksum. The card number's prefix is thesequence of digits at the beginning of the number that determine thecredit card network to which the number belongs. The first six digits ofthe credit card number are known as the Bank Identification Number(BIN), which identifies the institution that issued the card to the cardholder. The rest of the credit card number is allocated by the issuer,and the checksum is the last digit that is used to confirm the precedingdigits of the credit card number. Additionally, many credit cardsinclude a CCV code, which is typically several digits printed on thesignature strip on the back of the card.

Based on knowledge of the ISO 7812 standard, the trigger module 304 maygenerate a trigger event that identifies when the user may be inputtingvalid a credit card number to the user computer 102. In an exemplaryembodiment, the trigger event may correspond to a BIN of a bank withwhich the user holds an account. For example, users having accounts withone bank may have predetermined numbers assigned for the first fournumbers of the credit card account number, which the trigger module 304may set as the trigger event.

In other exemplary embodiments, the trigger module 304 may generate atrigger event corresponding to all of the digits corresponding to knowncredit card numbers (e.g., most credit card issuers use sixteen digits,but other numbers of digits also may be used) and the detection module306 may use the checksum to confirm that the digits correspond to avalid credit card number, instead of a random number (e.g., a randomsixteen digit number as compared with a sixteen digit credit cardnumber).

In further exemplary embodiments, the trigger module 304 may generatetrigger events based on various combinations of one or more of theprivate information, the forwarding information, the connectioninformation, the data transfer information, the electronic contentinformation, the complexity information, the format information, and theaccount information received from the various modules 402-416. Thevarious combinations also may be weighted relative to one another forgenerating a trigger event determining when the APS should performfurther processing to determine whether to take an action to protect theprivate information.

In an exemplary embodiment, the trigger module 304 may generate atrigger event corresponding to a home address from the accountinformation and a low complexity username and password from thecomplexity information. The detection module 306 may determine that theAPS 110 may conduct further processing to determine whether to take anaction to protect the private information after identifying, in the userinput data stream, the home address, one or more characters of theusername, and/or one or more characters of the password.

In a further exemplary embodiment, the trigger module 304 may generate atrigger event when most of the characters of private information areidentified in a user input data stream. For example, in the situationwhere the forwarding information indicates that the user has entered aURL into an address bar of the communication tool module 312, theconnection information indicates that the user computer 102 iscommunicating with the server 106 using an encrypted secured connectionprotocol, the complexity information indicates that the privateinformation is a common dictionary word password, the electronic contentinformation indicates that the user is not being solicited by thewebsite for private information, and the data transfer informationindicates that the server 106 associated with the untrusted electronicdocument is not using real-time transmission technology to transmit thedata input by the user as the user types on the keyboard, the triggermodule 304 may set the trigger event to only determine that the user isinputting private information after the user has entered most or all ofthe characters associated with the private information.

In yet another exemplary embodiment, the trigger module 304 may generatea trigger event when only a few of the characters of the privateinformation are identified in a user input data stream. For example, inthe situation where the forwarding information indicates that the userhas clicked on an image in an email and was redirected to a website, theelectronic content information indicates that the user is beingsolicited for private information, the complexity information indicatesthat the users has a complex non-dictionary word password, and the datatransfer information indicates that the website uses software thatforwards every character to the server 106 in real-time, the triggerevent may indicate that the user is entering private information whenthe user has entered only a few characters of the private information.These embodiments describing setting trigger events based on variouscombinations of information are exemplary, other weighted andnon-weighted combinations also may be used.

Exemplary Process

FIG. 5 illustrates a flow diagram depicting exemplary acts that may beperformed. The flow diagram 500 may begin at block 502 and continue toblock 504.

In block 504, the APS 110 may communicate with the cache database module316 to obtain one or more types of private information from the cachedatabase 318.

In block 506, the APS 110 may generate one or more triggers events toprotect the private information. The trigger module 304 of the APS 110may process the private information at one or more of the modules402-416 to generate one or more types of information. The trigger eventsmay correspond to when the trigger module 304 determines that the usermay be entering one or more characters of private information inresponse to an untrusted electronic document and that the APS 110 mayneed to perform further processing to determine whether to take furtheraction to protect the private information against a possible phishingattack. The trigger events may identify that a user is entering privateinformation before or after the user has input all of the characters ofthe private information.

In block 508, the APS 110 may monitor characters in the user input datastream of data input by the user at the user computer 102. The userinput module 302 of the APS 110 may receive one or more characters thatform a user input data stream of user input entered by the user at akeyboard and/or mouse of the user computer 102. The detection module 306may monitor each character, such as, but not limited to, numbers,letters, symbols, movements, etc., input by the user at the usercomputer 102 in the user input data stream temporally and/orsequentially. The detection module 306 also may monitor characterscopied into any fields of the untrusted electronic document from anotherfile of the user computer 102.

In block 510, the detection module 306 may identify if one or morecharacters in the user input data stream correspond to one or morecharacters of the private information associated with a trigger event.For example, the trigger event may indicate that the APS 110 may performfurther processing to verify the untrusted electronic document whenthree letters of a complex password are identified in the user inputdata stream.

In block 512, the action module 308 of the APS 110 may compare acommunication address of the untrusted electronic document with awhitelist of trusted addresses for trusted electronic documents. Awhitelist of trusted address may be a list of addresses of sources forelectronic documents that the user indicates may be trusted. Forexample, the whitelist of trusted address may include addresses ofnon-phishing websites, trusted computers, trusted servers, and/or othertrusted communication devices.

Initially, the whitelist may be empty. The whitelist may be populated bythe user with addresses of trusted electronic documents as the uservisits and adds addresses to the whitelist, as discussed below, oralternatively, the APS 110 may prompt the user to identify one or moreaddresses of trusted electronic documents to add to the whitelist. In afurther alternative exemplary embodiment, a company, such as Google, maymaintain a whitelist of trusted addresses for electronic documents thatthe APS 110 may download. If the address of the untrusted electronicdocument is on the whitelist, the flow diagram 500 may then continue to518 and may permit the user to communicate the private information andany other information with the server 106. In other exemplaryembodiments, the APS 110 may compare the address of the untrustedelectronic document with the whitelist of addresses for trustedelectronic documents before generating any trigger events. If theaddress of the untrusted electronic document is not on the whitelist,the flow diagram 500 may then continue to 514.

In block 514, the action module 308 of the APS 110 may take an action toprotect the private information. In an exemplary embodiment, the actionmay be one or more of instructing the transmission module 314 to stopdata transmission across the network 104, instructing the message module310 to display a message to the user, authenticating the server 106,and/or other actions to protect the user's private information.

In an exemplary embodiment, the message may remind the user that theprivate information they have entered is currently associated with oneor more other provider(s) (i.e., a trusted provider(s)), which maydiffer from the provider of the untrusted electronic document. Themessage also may display one or more links corresponding to trustedcommunication documents associated with the trusted providers from thewhitelist. Also, the action module 308 may obtain a logo from a digitalcertificate of the trusted provider, and forward the logo to the messagemodule 310. In an exemplary embodiment, the digital certificate may be ax.509 certification associated with the trusted website and/or provider.The message module 310 may display the logo in the message to visuallyremind the user with which trusted provider the private information isassociated.

The message also may include various warnings based on the informationused by the trigger module 304 to generate the trigger event. In anexemplary embodiment, the message may include one or more of privateinformation, forwarding information, connection information, datatransfer information, electronic content information, complexityinformation, format information, account information, alone or incombination, associated with the trigger event. For example, the messagemay indicate that the electronic content information indicates that theuntrusted electronic document is soliciting private informationassociated with a trusted provider, but that the address of theuntrusted electronic document does not correspond to the address of thetrusted provider. In further examples, the message may warn the useranytime that the untrusted electronic document is not using a securedconnection protocol, such as a non-SSL protected connection, to protectthe private information.

FIG. 6 illustrates an exemplary embodiment of a warning message window600. In the depicted exemplary embodiment, the message warning may statethat:

-   -   It looks like you're signing in to an account with private        information that you would normally use with Trusted Bank. If        you are using this same information with this new account, click        OK to add it to the list of accepted sites. If you believe this        is Trusted Bank, someone may be trying to defraud you. Click        CANCEL to stop transmission of the private information.

If the user clicks OK, the action module 308 may add the address of theuntrusted electronic document to the whitelist and identify theuntrusted electronic document as a new trusted website. The flow diagram500 may then continue to block 518, where the APS 110 may permit theuser to enter any information for transmission to the new trustedwebsite and the flow diagram 500 may continue to block 520 and end.

In block 514, if the user selects not to add the untrusted electronicdocument to the whitelist, the action module 308 may instruct thetransmission module 314 to stop and/or prevent transmission of anyuntransmitted private information in the user input data stream to theserver 106. In other exemplary embodiments, the action module 308 mayredirect the communication tool module 312 to a trusted provider, and/oralso may automatically report or prompt the user to report the untrustedelectronic document to a company that monitors phishing.

It is noted that the APS 110 may not perform all of the exemplaryprocesses depicted in FIG. 3. In simplified exemplary embodiment, theAPS 110 may compare the address of an untrusted electronic document witha whitelist of trusted addresses for electronic documents. If the APS110 finds a match, then the APS 110 may permit the user to transmit anyinformation with the server 106 of the electronic document. If the APSdoes not find a match, the APS 110 may monitor the characters entered bythe user at the user computer 102, compare the characters with storedprivate information, determine that the user has entered some or all ofthe characters corresponding to one or more types of stored privateinformation, and then take an action to protect the private information,such as displaying a message that the untrusted electronic document maybe attempting to defraud the user. The user's response to the messagemay determine whether to permit further transmission of privateinformation to the server 106.

Additional Examples

The following provides two examples of the APS 110 protecting a user'sprivate information. In the first example, the private information maybe a credit card number, and the trigger module 304 may generate atrigger event based on information received from the format informationmodule 416. In this example, the format information module 416 may querythe cache database 318 and may identify that the user has an accountwith Trusted bank. Based on ISO 7812, the format information module 416indicates in the format information the BIN of Trusted bank (e.g.,“3434”). The trigger module 304 receives the format information from theformat information module 416 and generates a trigger event based onidentifying “3434” in the user input data stream.

Using the communication tool module 312, the user may access the websitewww.trustedshoes.com from the server 106 and may input data fortransmission to the server 106. The detection module 306 may monitor theuser input data stream for the number string “3434.” If the detectionmodule 306 identifies “3434” in the user input data stream, the actionmodule 308 may compare the address of the website (i.e.,www.trustedshoes.com) with the whitelist of trusted addresses. In thisexample, the whitelist may not include www.trustedshoes.com. The actionmodule 308 may then instruct the transmission module 314 to stoptransmission of data to the server 106, may authenticate the server 106to confirm that the server 106 is associated with the provider (i.e.,Trusted Shoes), and may instruct the message module 310 to display amessage to the user at the user computer 102. The message may statethat: “It appears that you're entering your credit card number atwww.trustedshoes.com. We have confirmed that this website corresponds toTrusted Shoes. Click OK to add their website to the list of trustedwebsites. If you believe this is someone other than Trusted Shoes,someone may be attempting to defraud you. Click CANCEL to end thistransmission.” Based on the user's selection, the APS 110 may permit theuser to enter their credit card number or may end the transmission.

In the second example, the private information may be a username andpassword, and the trigger module 304 may generate a trigger event basedon information received from the complexity information module 410. Inthis example, the complexity information module 410 may query the cachedatabase 318 and may identify that the private information of the useris a username and password that are both common dictionary wordsassociated with www.trustedbank.com. For example, the username may be“bob” and the password may be “cat.” The trigger module 304 may generatea trigger event for identifying when portions of both of the usernameand password appear near to one another temporally and/or sequentiallyin the user input data stream. For example, the trigger event maycorrespond to identifying “bob” and “ca” or “bo” and “cat” within 50characters of one another within the user input data stream.

Using the communication tool module 312, the user may receive an emailfrom “youraccount@trunstedbank.com,” which redirects the user to thewebsite www.trunstedbank.com and is associated with the server 106. Thedetection module 306 may monitor the user input data stream for “bob”and “ca” or “bo” and “cat” within 50 characters of one another. If thedetection module 306 identifies either in the user input data stream,the action module 308 may compare the address of the website (i.e.,www.trunstedbank.com) with the whitelist of trusted addresses. In thisexample, the whitelist does not include www.trunstedbank.com because ofthe misspelling of the word “trusted.” The action module 308 may theninstruct the transmission module 314 to stop transmission of the userinput data stream to the server 106, may attempt to authenticate theserver 106 to confirm that the server 106 is associated with theprovider (i.e., Trusted Bank), and may instruct the message module 310to display a message to the user at the user computer 102. The messagemay state that: “It appears that you're entering your username andpassword at www.trunstedshoes.com. We have not been able to confirm thatthis website is associated with Trusted Bank. If you believe that thiswebsite is from Trusted Bank, someone may be attempting to defraud you.Click CANCEL to end this transmission. Click OK to add this website tothe list of trusted websites.” Based on the user's selection, the APS110 may permit the user to enter their username and password or may endthe transmission.

Thus, the above exemplary embodiments of the APS 110 may provide userswith protection against phishing attacks based on the types of privateinformation phishers are attempting to retrieve.

The exemplary embodiments of the present invention are not to be limitedin scope by the specific embodiments described herein. For example,although many of the embodiments disclosed herein have been describedwith reference to anti-phishing systems, particularly with reference towebsites, the principles herein are equally applicable to protectingusers from other types of electronic document displays other thanwebsites which attempt to fraudulently obtain private information fromthe user. Indeed, various modifications of the embodiments of thepresent inventions, in addition to those described herein, will beapparent to those of ordinary skill in the art from the foregoingdescription and accompanying drawings. Thus, such modifications areintended to fall within the scope of the following appended claims.Further, although some of the embodiments of the present invention havebeen described herein in the context of a particular implementation in aparticular environment for a particular purpose, those of ordinary skillin the art will recognize that its usefulness is not limited thereto andthat the embodiments of the present inventions can be beneficiallyimplemented in any number of environments for any number of purposes.Accordingly, the claims set forth below should be construed in view ofthe full breath and spirit of the embodiments of the present inventionsas disclosed herein.

1. A method comprising: at a computing device having one or moreprocessors: identifying, from a user input data stream, a first set ofone or more characters, wherein the first set of one or more charactersrepresents a portion of first private information; identifying, from theuser input data stream, a second set of one or more characters, whereinthe second set of one or more characters represents a portion of secondprivate information; and in accordance with a determination that thefirst set of characters and second set of characters are identified inaccordance with a predefined sequential relationship, taking aprotective action, prior to transmitting at least a subset of thecharacters of the first or second private information to a serverremotely located from the computing device, to protect the first orsecond private information.
 2. The method of claim 1, wherein the firstprivate information includes a username, and the second privateinformation includes a password corresponding to the username.
 3. Themethod of claim 1, wherein the sequential relationship includes apredefined maximum number of characters between the first set ofcharacters representing the first private information, and the secondset of characters representing the second private information.
 4. Themethod of claim 1, further comprising: generating a trigger event, andwherein the identification of the first set or second set of charactersis in response to the trigger event.
 5. The method of claim 4, whereinthe trigger event is generated based at least in part on one of:forwarding information, connection information module, electroniccontent information, complexity information, data transfer information,account information, or format information module.
 6. The method ofclaim 1, wherein taking the protective action includes one of:authenticating the remote server, stopping transmitting the subset ofthe characters to the remote server, or displaying a warning message. 7.The method of claim 6, wherein the displayed warning message includes alogo obtained from a digital certificate of a provider.
 8. A system,comprising: one or more processors; memory; and one or more programs,wherein the one or more programs are stored in the memory and configuredto be executed by the one or more processors, the one or more programsincluding instructions for: identifying, from a user input data stream,a first set of one or more characters, wherein the first set of one ormore characters represents a portion of first private information;identifying, from the user input data stream, a second set of one ormore characters, wherein the second set of one or more charactersrepresents a portion of second private information; and in accordancewith a determination that the first set of characters and second set ofcharacters are identified in accordance with a predefined sequentialrelationship, taking a protective action, prior to transmitting at leasta subset of the characters of the first or second private information toa server remotely located from the computing device, to protect thefirst or second private information.
 9. The system of claim 8, whereinthe first private information includes a username, the second privateinformation includes a password corresponding to the username.
 10. Thesystem of claim 8, wherein the sequential relationship includes apredefined maximum number of characters between the first set ofcharacters representing the first private information, and the secondset of characters representing the second private information.
 11. Thesystem of claim 8, wherein the one or more programs further comprisinginstructions for: generating a trigger event, and wherein theidentification of the first set or second set of characters is inresponse to the trigger event.
 12. The system of claim 11, wherein thetrigger event is generated based at least in part on one of: forwardinginformation, connection information module, electronic contentinformation, complexity information, data transfer information, accountinformation, or format information module.
 13. The system of claim 8,wherein taking the protective action includes one of: authenticating theremote server, stopping transmitting the subset of the characters to theremote server, or displaying a warning message.
 14. The system of claim13, wherein the displayed warning message includes a logo obtained froma digital certificate of a provider.
 15. A non-transitory computerreadable storage medium storing one or more programs, the one or moreprograms comprising instructions, which when executed by a system withone or more processors, cause the system to: identifying, from a userinput data stream, a first set of one or more characters, wherein thefirst set of one or more characters represents a portion of firstprivate information; identifying, from the user input data stream, asecond set of one or more characters, wherein the second set of one ormore characters represents a portion of second private information; andin accordance with a determination that the first set of characters andsecond set of characters are identified in accordance with a predefinedsequential relationship, taking a protective action, prior totransmitting at least a subset of the characters of the first or secondprivate information to a server remotely located from the computingdevice, to protect the first or second private information.
 16. Thenon-transitory computer readable storage medium of claim 15, wherein thefirst private information includes a username, the second privateinformation includes a password corresponding to the username.
 17. Thenon-transitory computer readable storage medium of claim 15, wherein thesequential relationship includes a predefined maximum number ofcharacters between the first set of characters representing the firstprivate information, and the second set of characters representing thesecond private information.
 18. The non-transitory computer readablestorage medium of claim 15, the one or more programs further comprisinginstructions, when executed, cause the system to: generating a triggerevent, and wherein the identification of the first set or second set ofcharacters is in response to the trigger event.
 19. The non-transitorycomputer readable storage medium of claim 18, wherein the trigger eventis generated based at least in part on one of: forwarding information,connection information module, electronic content information,complexity information, data transfer information, account information,or format information module.
 20. The non-transitory computer readablestorage medium of claim 15, wherein taking the protective actionincludes one of: authenticating the remote server, stopping transmittingthe subset of the characters to the remote server, or displaying awarning message.
 21. The non-transitory computer readable storage mediumof claim 20, wherein the displayed warning message includes a logoobtained from a digital certificate of a provider.